North Korean Hackers Deploy 26 Malicious npm Packages Concealing Cross-Platform RAT via Pastebin C2
In a sophisticated escalation of the Contagious Interview campaign, cybersecurity experts have identified 26 malicious packages uploaded to the npm registry by North Korean state-sponsored actors. These packages, masquerading as legitimate developer tools, are engineered to deploy a cross-platform Remote Access Trojan (RAT) by leveraging Pastebin as a command-and-control (C2) mechanism.
Deceptive npm Packages and Their Mechanism
The identified packages include:
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
Each of these packages contains an install.js script that runs automatically on installation and triggers a malicious payload located at vendor/scrypt-js/version.js. To enhance their credibility, the packages typosquat the names of legitimate libraries and declare those legitimate libraries as dependencies.
Steganographic Techniques and Pastebin Utilization
The malicious payload employs text steganography to extract C2 URLs embedded within seemingly innocuous Pastebin posts. These posts, appearing as benign computer science essays, have specific characters altered at regular intervals to encode hidden infrastructure addresses. The decoder within the payload processes these texts by:
1. Removing zero-width Unicode characters.
2. Reading a five-digit length marker at the beginning.
3. Calculating evenly spaced character positions throughout the text.
4. Extracting characters at these positions to reconstruct C2 domain names.
This method allows the malware to dynamically retrieve its C2 infrastructure, complicating detection and mitigation efforts.
Cross-Platform Payload Deployment
Once the C2 domains are decoded, the malware contacts these servers to download platform-specific payloads tailored for Windows, macOS, and Linux systems. For instance, one such domain, ext-checkdin.vercel[.]app, serves a shell script that subsequently fetches the RAT component. This Trojan connects to the IP address 103.106.67[.]63:1244, awaiting further instructions.
Comprehensive Intelligence Collection Suite
Upon successful deployment, the RAT activates a suite of nine modules designed for extensive data collection and system manipulation:
1. VS Code Persistence: Utilizes a malicious tasks.js file to maintain access within Visual Studio Code environments.
2. Keylogging and Clipboard Theft: Monitors and records keystrokes and clipboard data to capture sensitive information.
3. Browser Credential Harvesting: Extracts stored credentials from web browsers.
4. TruffleHog Secret Scanning: Scans for exposed secrets and credentials within code repositories.
5. Git Repository Exfiltration: Accesses and exfiltrates data from Git repositories.
6. SSH Key Theft: Steals SSH keys to facilitate unauthorized access to other systems.
7. System Profiling: Gathers detailed information about the infected system’s hardware and software configurations.
8. Network Reconnaissance: Maps the network environment to identify potential targets and vulnerabilities.
9. Command Execution: Executes arbitrary commands received from the C2 server, allowing for dynamic control over the compromised system.
Implications and Recommendations
This campaign underscores the evolving sophistication of North Korean cyber operations, particularly their ability to infiltrate trusted open-source ecosystems. By embedding malicious code within widely used npm packages, these actors can achieve widespread distribution and prolonged persistence within target environments.
Recommendations for Developers:
– Vigilant Package Selection: Scrutinize the authenticity of npm packages before installation. Verify the publisher’s credibility and check for any anomalies in the package’s metadata.
– Regular Dependency Audits: Conduct periodic reviews of project dependencies to identify and remove any that are unnecessary or potentially compromised.
– Implement Security Tools: Utilize security tools and services that can detect and alert on suspicious package behavior or known vulnerabilities.
– Stay Informed: Keep abreast of the latest cybersecurity threats and advisories related to software supply chain attacks.
By adopting these practices, developers can mitigate the risk of inadvertently incorporating malicious code into their projects, thereby safeguarding their systems and data against such sophisticated threats.